Requirements

References

Claimed proofs

Burrows, Abadi and Needham [BAN] prove the correctness of the protocol
in the sense of their logical framework. However, they point out a possible
replay attack which, according to them, could be avoided by using
timestamps.

Claimed attacks

An intruder I may impersonate A by inciting A to initiate a second
session [Low95]. In the following, we ignore the message exchanges
with the public key server and only consider messages between the
principals A and B, and the intruder I. Session i is the run that A
starts with I; session ii is the run that I, posing as A, conducts
with B.
We assume that the intruder I possesses a key pair
(KPi, KSi), and we may also assume that every principal
knows the public keys KPa, KPb and KPi.

i.3.   A     ->  I     :  {Na,A}KPi
ii.3.  I(A)  ->  B     :  {Na,A}KPb
ii.6.  B     ->  I(A)  :  {Na,Nb}KPa
i.6.   I     ->  A     :  {Na,Nb}KPa
i.7.   A     ->  I     :  {Nb}KPi
ii.7.  I(A)  ->  B     :  {Nb}KPb

Remark

It has been proposed to fix the protocol by including the respondent's
identity in the response [Low95].
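The following symbolic model is an added example, not part of the original page or of [Low95]; it replays the six-step trace above against both the original message 6 and Lowe's repaired form {Na,Nb,B}KPa, so a reader can see exactly which check the fix introduces and where in the trace it fires. Encryption is purely symbolic (a ciphertext only records whose public key was used, and only that principal can open it); the class and function names, and the nonce values "Na"/"Nb", are constructed for this illustration.

```python
"""Symbolic model of the Needham-Schroeder public-key handshake (messages 3, 6 and 7)
used to compare the original protocol with Lowe's fix on the trace above.
Encryption is purely symbolic: a ciphertext records which principal's public key was
used, and only that principal can open it.  No real cryptography is involved."""

from dataclasses import dataclass


@dataclass(frozen=True)
class Enc:
    """{payload}KP_owner: a message encrypted under `owner`'s public key."""
    owner: str
    payload: tuple


def encrypt(owner: str, *payload) -> Enc:
    return Enc(owner, tuple(payload))


def decrypt(me: str, ct: Enc) -> tuple:
    """Only the holder of KS_me can open {..}KP_me."""
    if ct.owner != me:
        raise PermissionError(f"{me} cannot open a message for {ct.owner}")
    return ct.payload


class Initiator:
    """Role of A.  `lowe_fix` selects the repaired message 6, {Na,Nb,B}KPa."""

    def __init__(self, name: str, nonce: str, lowe_fix: bool):
        self.name, self.nonce, self.lowe_fix = name, nonce, lowe_fix
        self.peer = None

    def msg3(self, responder: str) -> Enc:
        self.peer = responder
        return encrypt(responder, self.nonce, self.name)       # {Na,A}KPb

    def msg7(self, ct: Enc) -> Enc:
        payload = decrypt(self.name, ct)
        if self.lowe_fix:
            na, nb, responder = payload
            # The check Lowe's fix adds: the identity carried inside message 6
            # must be the principal A believes it started the session with.
            if responder != self.peer:
                raise ValueError(f"{self.name}: expected {self.peer}, message names {responder}")
        else:
            na, nb = payload
        if na != self.nonce:
            raise ValueError(f"{self.name}: nonce mismatch")
        return encrypt(self.peer, nb)                           # {Nb}KPb


class Responder:
    """Role of B."""

    def __init__(self, name: str, nonce: str, lowe_fix: bool):
        self.name, self.nonce, self.lowe_fix = name, nonce, lowe_fix
        self.peer = None

    def msg6(self, ct: Enc) -> Enc:
        na, self.peer = decrypt(self.name, ct)
        if self.lowe_fix:
            return encrypt(self.peer, na, self.nonce, self.name)   # {Na,Nb,B}KPa
        return encrypt(self.peer, na, self.nonce)                  # {Na,Nb}KPa

    def msg7(self, ct: Enc) -> str:
        (nb,) = decrypt(self.name, ct)
        if nb != self.nonce:
            raise ValueError(f"{self.name}: nonce mismatch")
        return self.peer     # B now believes it has authenticated this principal


def honest_run(lowe_fix: bool) -> str:
    """A talks to B directly; returns whom B believes it authenticated."""
    A, B = Initiator("A", "Na", lowe_fix), Responder("B", "Nb", lowe_fix)
    m6 = B.msg6(A.msg3("B"))
    return B.msg7(A.msg7(m6))


def lowe_trace(lowe_fix: bool):
    """Replays steps i.3, ii.3, ii.6, i.6, i.7, ii.7 of the trace above.
    Returns whom B believes it authenticated, or None if A aborted."""
    A, B = Initiator("A", "Na", lowe_fix), Responder("B", "Nb", lowe_fix)
    na, a = decrypt("I", A.msg3("I"))       # i.3  A -> I    : {Na,A}KPi, opened with KSi
    m_ii6 = B.msg6(encrypt("B", na, a))     # ii.3 I(A) -> B : {Na,A}KPb ; ii.6 B -> I(A) : {Na,Nb}KPa
    try:
        m_i7 = A.msg7(m_ii6)                # i.6  I -> A    : forwarded unchanged (I cannot read it)
    except ValueError:
        return None                         # with the fix, A finds "B" where it expects "I"
    (nb,) = decrypt("I", m_i7)              # i.7  A -> I    : {Nb}KPi
    return B.msg7(encrypt("B", nb))         # ii.7 I(A) -> B : {Nb}KPb


if __name__ == "__main__":
    print("honest run, original protocol:", honest_run(False))
    print("honest run, Lowe's fix:       ", honest_run(True))
    print("trace above, original:        ", lowe_trace(False))   # B believes it spoke to A
    print("trace above, Lowe's fix:      ", lowe_trace(True))    # A aborts at i.6
```

The model shows why the fix is enough: I never learns Nb, so the only way it can complete session ii is to have A decrypt message ii.6 for it in session i. With the responder's identity bound inside that ciphertext, A can tell that the message was produced by B and not by I, and the relay stops at step i.6; the honest run is unaffected.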